CVE-2021-44398

Vulnerability

The vulnerability resides in the JSON command parser of cgiserver.cgi on the reolink RLC-410W wireless IP camera running firmware version v3.0.0.136_20121102. When processing the rtmp=stop parameter, the parser fails to validate that the value is an object, leading to an improper input validation (CWE-20) condition. This can be triggered via a specially crafted HTTP request without authentication [1].

Exploitation

An unauthenticated attacker with network access to the device can send an HTTP request to the vulnerable API endpoint. The request must include a crafted JSON payload where the rtmp=stop parameter is not an object (e.g., a string or integer). The cgiserver.cgi process will then crash, causing the device to reboot [1].

Impact

Successful exploitation results in a denial of service (DoS) condition by forcing an immediate reboot of the camera. The device becomes temporarily unavailable, interrupting surveillance and recording capabilities. No data integrity or confidentiality is affected, and the attacker does not gain persistent access [1].

Mitigation

As of the publication date of the Talos advisory (January 28, 2022), no firmware update or official fix has been released for this vulnerability. Users should monitor reolink's support channels for a patched version. In the interim, restricting network access to the camera via firewall rules or placing it behind a VPN can reduce exposure [1].